VIP Bug ?



  • Hi,
    I have an interesting problem with my SSG5 OS 6.3.0r4.0.

    Following settings:

    set service "Tecom_TCP/UDP" protocol tcp src-port 0-65535 dst-port 3001-3001
    set service "Tecom_TCP/UDP" + udp src-port 0-65535 dst-port 3001-3001

    set interface "ethernet0/0" zone "Untrust"

    set interface ethernet0/0 ip 10.0.0.1/24
    set interface ethernet0/0 route

    set interface bgroup0 ip 192.168.32.1/24
    set interface bgroup0 route

    set interface ethernet0/0 ip manageable
    set interface bgroup0 ip manageable

    set interface ethernet0/0 manage ping
    set interface ethernet0/0 manage telnet
    set interface ethernet0/0 manage web

    set interface ethernet0/0 vip interface-ip 3001 "Tecom_TCP/UDP" 192.168.32.184

    set interface ethernet0/0 dip 4 10.0.0.10 10.0.0.20 fix-port

    set policy id 90 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "Tecom_TCP/UDP" permit log
    set policy id 90
    exit

    set policy id 87 name "Tecom_TCP/UDP" from "Trust" to "Untrust" "Any" "Any" "Tecom_TCP/UDP" nat src permit log
    set policy id 87
    set log session-init
    exit

    What is happening:

    On TCP everything works like a charm; I can get in and out both ways. However, on the UDP side it does not. I can only get out on UDP.
    If I swap TCP with UDP in places:

    set service "Tecom_TCP/UDP" protocol udp src-port 0-65535 dst-port 3001-3001
    set service "Tecom_TCP/UDP" + tcp src-port 0-65535 dst-port 3001-3001

    then UDP starts working and TCP stops.

    Any ideas why? This is the last rule in VIP; I have other rules there which work both ways.

    Please let me know if I have missed something in my config.

    Thank you for all help in advance.
    Mark



  • set vip multi-port
    reset

    VIP basically does not support a service definition with multi port/protocol
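
A small offline check for the condition the reply describes, as an added example (not part of the thread and not Juniper tooling): it flags VIP entries whose service has more than one protocol/port entry when `set vip multi-port` is absent from the config. The function name `audit_vips` and the sample config are constructed here, and the parsing covers only the command forms shown in the question.

```python
import shlex

# Constructed sample: the relevant lines from the question above.
SAMPLE_CONFIG = '''\
set service "Tecom_TCP/UDP" protocol tcp src-port 0-65535 dst-port 3001-3001
set service "Tecom_TCP/UDP" + udp src-port 0-65535 dst-port 3001-3001
set interface ethernet0/0 vip interface-ip 3001 "Tecom_TCP/UDP" 192.168.32.184
'''


def _tokens(line):
    # Normalise typographic quotes (common in configs pasted from web pages).
    return shlex.split(line.replace("\u201c", '"').replace("\u201d", '"'))


def audit_vips(config):
    """Return (interface, vip_port, service, entries) for every VIP whose
    service has more than one protocol/port entry while the config lacks
    'set vip multi-port'. Returns [] when multi-port mode is configured."""
    services = {}   # service name -> list of (protocol, dst-port range)
    vips = []       # (interface, vip port, service name)
    multi_port = False
    for raw in config.splitlines():
        t = _tokens(raw.strip())
        if t[:3] == ["set", "vip", "multi-port"]:
            multi_port = True
        elif t[:2] == ["set", "service"] and len(t) > 4 and t[3] in ("protocol", "+"):
            # set service NAME protocol PROTO ...  /  set service NAME + PROTO ...
            if "dst-port" in t[:-1]:
                dst = t[t.index("dst-port") + 1]
                services.setdefault(t[2], []).append((t[4], dst))
        elif t[:2] == ["set", "interface"] and len(t) >= 8 and t[3] == "vip":
            # set interface IFACE vip ADDR PORT SERVICE SERVER_IP
            vips.append((t[2], t[5], t[6]))
    if multi_port:
        return []
    return [(i, p, s, services[s]) for i, p, s in vips
            if len(services.get(s, [])) > 1]


if __name__ == "__main__":
    for iface, port, svc, entries in audit_vips(SAMPLE_CONFIG):
        print(f"{iface} VIP port {port}: service {svc!r} has {len(entries)} "
              f"entries {entries} but 'set vip multi-port' is not configured")
```
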


 
